Protect Networks and Data with Standards-Based Multi-Factor Authentication
Organizations dealing with sensitive or privileged data often require authentication stronger than traditional user name + password credentials. In some cases, such as in Local Government and law enforcement, there are statutory requirements. For example, the UK OGC Code of Connection specifies stringent user authentication requirements for devices that connect to data on the Government Secure Internet via wireless networks, the Internet or dial-up. All newly procured systems must meet the standards, and existing systems must comply by September 30, 2009. Other regulations call for similar advanced authentication measures.

Mobility XE also supports two-factor authentication in a manner that allows organizations to meet Government standards at minimal cost. It uses the RADIUS-EAP protocol as the front end to Microsoft’s Active Directory authentication and Public-Key Infrastructure (PKI). Because the Microsoft PKI infrastructure is bundled with its server operating systems, and because several free or low-cost RADIUS server options are available, this approach is a very low-cost and robust option. It is especially useful for Local Authority and public safety agencies that must comply with the Code of Connection requirements but may not have allocated the budget to bring their systems into compliance.

This RADIUS/PKI approach supports:
  • Smart cards. Mobility XE supports PKI smart cards from vendors that meet Microsoft’s smart card mini-driver requirements, and from vendors that provide a Microsoft Cryptographic Service Provider (CSP). Of particular note, Mobility XE supports smart cards conforming to these requirements: US Homeland Security Presidential Directive 12 (HSPD-12); Federal Information Processing Standards Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors; and NIST Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification.
  • X.509v3 user certificates. Certificates are supported when stored on the mobile device in a protected location only accessible to users who successfully complete desktop authentication and who provide the user certificate password. Non-Microsoft PKI solutions are supported if they are compatible with X.509v3 user certificates, standard Microsoft CAPI-enabled access to those certificates, and the RADIUS EAP-TLS or EAP-TLS inside PEAP authentication protocol.
  • Biometric systems. Mobility XE supports biometric systems where those systems are used in place of a PIN or password to unlock access to X.509v3 certificates. Mobility XE also supports biometric-based user authentication on the Ubtek and Wave biometric systems, which are commonly installed on Lenovo, Itronix, and Dell portable computers.
The combination of device and user authentication makes Mobility XE security stronger than that available in other VPNs. It ties the user authentication (something you know) to the device authentication (something you have), much like a PIN is tied to a bank card, so that only authorized users with sanctioned devices that have been properly provisioned can connect. In this way, device authentication can be loosely or tightly tied to a user’s authentication.

Mobility XE can be configured to allow a user to authenticate with any device that has successfully completed device authentication; or to limit the user to logging in with one or a few specifically identified devices.
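The loose versus tight device-to-user binding described above, as an added illustration written for this page rather than Mobility XE's own code or data model: device authentication must already have succeeded, the user must have authenticated with a certificate-backed EAP method (an assumption made here to represent the smart card / X.509 second factor), and a user listed in the hypothetical `tight` map may only connect from the devices named there.

```python
from dataclasses import dataclass, field

# Constructed policy model for illustration; not a real Mobility XE API.
CERT_METHODS = {"EAP-TLS", "PEAP-EAP-TLS"}  # certificate-backed RADIUS EAP methods


@dataclass
class DeviceAuth:
    device_id: str   # identity proven by the device credential
    succeeded: bool  # has device authentication already completed?


@dataclass
class UserAuth:
    username: str
    method: str      # RADIUS EAP method used for the user (e.g. "EAP-TLS")
    succeeded: bool


@dataclass
class BindingPolicy:
    # username -> set of sanctioned device ids ("tight" binding).
    # A user absent from this map is "loosely" bound: any authenticated device.
    tight: dict = field(default_factory=dict)


def decide(device: DeviceAuth, user: UserAuth, policy: BindingPolicy) -> tuple:
    """Return (allowed, reason) for a connection attempt."""
    if not device.succeeded:
        return False, "device authentication has not completed"
    if not user.succeeded:
        return False, "user authentication failed"
    if user.method not in CERT_METHODS:
        return False, f"{user.method} is not a certificate-based method"
    sanctioned = policy.tight.get(user.username)
    if sanctioned is None:
        return True, "loose binding: any authenticated device is acceptable"
    if device.device_id in sanctioned:
        return True, "tight binding: device is sanctioned for this user"
    return False, f"tight binding: {device.device_id} is not sanctioned for {user.username}"


if __name__ == "__main__":
    # Constructed sample: alice is tightly bound to one laptop, bob is loosely bound.
    policy = BindingPolicy(tight={"alice": {"LAPTOP-0A1"}})
    print(decide(DeviceAuth("LAPTOP-0A1", True), UserAuth("alice", "EAP-TLS", True), policy))
    print(decide(DeviceAuth("LAPTOP-ZZZ", True), UserAuth("alice", "EAP-TLS", True), policy))
    print(decide(DeviceAuth("LAPTOP-ZZZ", True), UserAuth("bob", "PEAP-EAP-TLS", True), policy))
    print(decide(DeviceAuth("LAPTOP-0A1", False), UserAuth("bob", "EAP-TLS", True), policy))
```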